3-source extractors, bi-partite Ramsey graphs, and other explicit constructions Boaz barak rOnen shaltiel Benny sudakov avi wigderson Joint work with GUY KINDLER Institute for Advanced Study

In this talk: Explicit constructions are very important. Explicit constructions are very important. Randomness extraction is also important. Randomness extraction is also important. Our results, concerning explicit constructions of randomness extraction objects. Our results, concerning explicit constructions of randomness extraction objects. Something about the techniques. Something about the techniques.

The importance of being explicit  [Erdos] The probabilistic method: show that a random object has a wanted property with positive probability.  Example: [Shanon48] optimal error-correcting codes exist.  Great result, but no applications.  A random code is not efficiently computable.  We need explicit (efficiently computable) codes.

The importance of being explicit  Why are explicit constructions so hard?  (Why is the probabilistic method so powerful)?  My answer: Because the family of explicitly constructible objects is tiny, and also very complex.  Why be explicit?

explicit construction problems  Some of the profound problems of computer science are of explicit constructions. Derandomization of BPP. Complexity lower bounds.  We need new tools/ideas for explicit constructions.  Great example: SL=L !  We have some new tools and ideas! Very difficult Problems!

We’ve Done: Explicit constructions are very important. We need new explicit construction tools. Next: About randomness extraction.

alg About randomness  Why Randomness: for algorithms (theory and practice), and cryptography (absolutely essential!).  Analysis requires unbiased, independent random bits. (m-bit strings) I=(011…010) r=( )r

alg About randomness  Why Randomness: for algorithms (theory and practice), and cryptography (absolutely essential!).  Analysis requires unbiased, independent random bits. (m-bit strings) I=(011…010) r Analysis says nothing in this case! (set of size 2  m )

About randomness  Randomness can be weak because of: Bad sources: clock/keystroke, electrostatic noise, yesterday’s news, process id’s.. Measurement: bits, heat of components, voltage, sound.. Intervention: bit-fixing, temperature, radio waves..  [Goldberg, Wagner `96] Broke netscape’s ssl protocol using its poor random source. alg r r

Randomness extraction (m-bit strings) I=(011…010) r Solution [shannon] : extract m pure bits from n>m imperfect bits.

alg Randomness extraction I=(011…010) Solution [shannon] : extract m pure bits from n>m imperfect bits. (n-bit strings) ext |X|>>2 m (m-bit strings) X x Polnomial time! We want of ext: |X|>>2 m   ext(x)~U m ext(x)

alg Randomness extraction I=(011…010) (n-bit strings) ext (m-bit strings) X x Problem: No such thing! We want of ext: |X|>>2 m   ext(x)~U m

alg Seeded extractor I=(011…010) (n-bit strings) ext (m-bit strings) X x

alg Seeded extractor I=(011…010) (m-bit strings) (n-bit strings) ext X x Good for:  Simulating BPP using weak sources. Problems:  Blowup  Doesn’t work for cryptography

k-source extractor alg I=(011…010) (m-bit strings) (n-bit strings) ext x2x2 x1x1 X1X1 X2X2 We want: |X 1 |, |X 2 | “large”  ext(x 1,x 2 )~U m Such things exist!

We’ve seen: Wild-grown randomness can be very weak. Wild-grown randomness can be very weak. Extracting pure randomness from one source – not possible. Extracting pure randomness from one source – not possible. Extraction from two or more independent sources may be possible. Extraction from two or more independent sources may be possible.next: (Some of) our results – extraction from three sources, and Ramsey construction for two sources. (Some of) our results – extraction from three sources, and Ramsey construction for two sources.

-source extractor for rate : k-source extractor for rate  : r(X 1 ),..., r(X k )   Pr[ext(x 1,..,x k )=0]= Pr[ext(x 1,..,x k )=1]  0.1 0/1 Entropy and entropy rate (n-bits) (m-bits) ext x2x2 x1x1 X1X1 X2X2 We want: |X 1 |, |X 2 | “large”  ext(x 1,x 2 )~U m X 1, |X 1 |  2  n X 2, |X 2 |  2  n H(X 1 )  n r(X 1 )  -partite Ramsey for rate : k-partite Ramsey for rate  : r(X 1 ),..., r(X k )   Pr[ext(x 1,..,x k )=0]>0, Pr[ext(x 1,..,x k )=1]>0

-source extractor for rate : k-source extractor for rate  : r(X 1 ),..., r(X k )   Pr[ext(x 1,..,x k )=0]= Pr[ext(x 1,..,x k )=1]  0.1 Entropy and entropy rate 0/1 (n-bits) ext x2x2 x1x1 X 1, |X 1 |  2  n X 2, |X 2 |  2  n

-source extractor for rate : k-source extractor for rate  : r(X 1 ),..., r(X k )   Pr[ext(x 1,..,x k )=0]= Pr[ext(x 1,..,x k )=1]  0.1 Results: past and current (n bits) 0/1 ext X 1, |X 1 |  2  n X 2, |X 2 |  2  n  [Chor+Goldreich, Vaz ’85]: -source extractor for entropy rate.  [Chor+Goldreich, Vaz ’85]: 2-source extractor for entropy rate  >1/2.  Long time: -barrier not broken.  Long time: 1/2-barrier not broken.  [BIW ‘03] Extractor for constant, with -sources.  [BIW ‘03] Extractor for constant , with k(  )-sources.  We get: -source extractor, for any constant entropy rate.  We get: 3-source extractor, for any constant entropy rate .  For 2 sources: Bipartite Ramsey for all constant !  For 2 sources: Bipartite Ramsey for all constant  ! Bipartite Ramsey for rate : Bipartite Ramsey for rate  : r(X 1 ),r(X 2 )  , Pr[Ram(x 1,x 2 )=0]>0, Pr[Ram(x 1,x 2 )=1]  >0

the bipartite Ramsey problem n x 2 n x1x1 Pr[0],Pr[1]>0 0/1 (n-bits) Ram x2x2 x1x1 X 1, |X 1 |  2  n X 2, |X 2 |  2  n

the bipartite Ramsey problem n x 2 n x1x1 x2x2 Pr[0],Pr[1]>0 0/1 (n-bits) Ram x2x2 x1x1 X 1, |X 1 |  2  n X 2, |X 2 |  2  n

the bipartite Ramsey problem n x 2 n x1x1 x2x2 Pr[0],Pr[1]>0 0/1 (n-bits) Ram x2x2 x1x1 X 1, |X 1 |  2  n X 2, |X 2 |  2  n

the bipartite Ramsey problem n x 2 n |X 1 |  2  n X1X1 Pr[0],Pr[1]>0 0/1 (n-bits) Ram x2x2 x1x1 X 1, |X 1 |  2  n X 2, |X 2 |  2  n

the bipartite Ramsey problem n x 2 n |X 1 |  2  n X2X2 Pr[0],Pr[1]>0 0/1 (n-bits) Ram x2x2 x1x1 X 1, |X 1 |  2  n X 2, |X 2 |  2  n

the bipartite Ramsey problem n x 2 n |X 1 |  2  n X2X2  [chor+goldreich ’85].  [chor+goldreich ’85]  >1/2.  We get: any constant.  We get: any constant . Pr[0],Pr[1]>0 0/1 (n-bits) Ram x2x2 x1x1 X 1, |X 1 |  2  n X 2, |X 2 |  2  n

We have: First extractor with number of sources independent of entropy rate. First extractor with number of sources independent of entropy rate. First explicit bipartite Ramsey graph for rate < ½. First explicit bipartite Ramsey graph for rate < ½. Several other results and constructions. Several other results and constructions.next: How to break the ½ barrier with const. number of sources. How to break the ½ barrier with const. number of sources. A 4-source extractor.

(s=  n-bits) A dream 2-source extractor |Y 1 |  2 0.9s con (n-bits) |X 1 |  2  n x1x1

Vaz (s-bits) (n-bits) con x2x2 |X 2 |  2  n (s=  n-bits) A dream 2-source extractor |Y 1 |  2 0.9s con (n-bits) |X 1 |  2  n x1x1 |Y 2 |  2 0.9s (100 bits) Problem: No such thing!

Vaz (n-bits) con x2x2 |X 2 |  2  n BREAKING THE ½ BARRIER : a somewhere condenser con (n-bits) |X 1 |  2  n x1x1 (3 times s) ( 3=3(  ) ) ( 3 times s) ( 9 times 100) Constant entropy rate. Constant number of bits! New! Key component! 1 2 3

Vaz (n-bits) con x2x2 |X 2 |  2  n A 2-source somewhere extractor con (n-bits) |X 1 |  2  n x1x1 ( 3 times s) ( 9 times 100) Somewhere extractor

0/1 Opt the 4-source extractor (900 bits) Somewhere extractor (900 bits)

x 1 x 2 +x 3 The BIW lemma |X 1 |  2  m |X 2 |  2  m |X 3 |  2  m x2x2 x3x3 y [BIW] [BIW] X 1,X 2,X 3 independent  r(Y)>min{  +  2, 1 } (3 x m-bits) (m-bits) Y, |Y|  2  (1+  )m x1x1

x 1 x 2 +x 3 (n/3) X4X4 Somewhere condenser x4x4 X1X1 X2X2 X3X3 x1x1 x2x2 x3x3 ( 3 x (n/3) ) (n-bits) |X|  2  n x [Thm] [Thm] max( r(X 1 ), r(X 2 ), r(X 3 ), r(X 4 ) )  min{  +  2 /10, 1 }

Somewhere condenser X1X1 X2X2 X3X3 x1x1 x2x2 x3x3 ( 3 x (n/3) ) (n-bits) |X|  2  n x |X 1 |. |X 2 |. |X 3 |  |X|  (r(X 1 )+r(X 2 )+r(X 3 ))/3  r(X)   If strong enough inequality here, we’re done! If equality holds then X 1, X 2, X 3 are independent!

x 1 x 2 +x 3 X1X1 X2X2 X3X3 x1x1 x2x2 x3x3 ( 3 x (n/3) ) (n/3) X4X4 Somewhere condenser x4x4 (n-bits) |X|  2  n x [BIW] And by [BIW], we’re done!

0/1 4 - source extractor Y2Y2 y2y2 Y3Y3 y3y3 Y4Y4 y4y4 Y1Y1 y1y1 Bipartite Ramsey – the general idea (n-bits) x2x2 |X 2 |  2  n (n-bits) |X 1 |  2  n x1x1

P-selector 0/1 4 - source extractor Y2Y2 y2y2 Y3Y3 y3y3 Y4Y4 y4y4 Y1Y1 y1y1 Bipartite Ramsey – the general idea (n-bits) x2x2 |X 2 |  2  n (n-bits) |X 1 |  2  n x1x1

IN Summation: Somewhere condenser: key to breaking ½ barrier. Somewhere condenser: key to breaking ½ barrier. Lots of more work to get bipartite Ramsey. Lots of more work to get bipartite Ramsey. Testing entropy, then using it: not a stupid idea.. Testing entropy, then using it: not a stupid idea..Open: 2-source extractor, 2-source extractor, 17-source extractor with no “opt” and small error. 17-source extractor with no “opt” and small error. seeded extractor with polynomially small error. seeded extractor with polynomially small error.

Other results: Ramsey-coloring for affine subspaces of dim.  n. 7 source extractor for linear number of bits. a zero error 2-source disperser for loglog(n) bits. a 2-source disperser for linear number of bits.